heads up: tcpwrappers support going away
cloos at jhcloos.com
Wed Apr 23 08:31:27 EST 2014
>>>>> "DM" == Damien Miller <djm at mindrot.org> writes:
DM> This is an early warning: OpenSSH will drop tcpwrappers in the next
This will need a wider announcement. Most auto-block solutions I've
looked at add entries to hosts.allow. Everyone using such will need
to adapt their setup to cope.
Several use the notion of of a spawn line in hosts.allow. With the
loss of tcpwrapper, openssh should add an option to run a command
for each incomming conenction (before it sends the banner, et alia)
which can check for abuse patterns and add (or expire) a packet filter.
The external should be expected to return zero to permit the connection
or non-zero to prevent it, plus perform any side-effects the admin wants.
James Cloos <cloos at jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6
More information about the openssh-unix-dev